On 11/01/2017 02:56 PM, How Rude ! wrote:

Also: blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

JS;DR: All computers are fucked.

Now that's music to every clueless luser's ears: "Don't waste a moment of time or give up an inch of convenience for security, because there is no such thing as security." Not only does this justify the lusers' categorical refusal to spend a moment of time or give up an inch of convenience, it also assures them that they are /smarter/ than people who do give a damn about network security. Whether any given computer is fucked on a given day depends on many factors. Network security begins with a threat model: Who might want to steal or destroy your data, what resources do they have, and if an adversary is successful what do you stand to lose? Next look at the methods for locking those particular adversaries out, and the cost in $$ and time for doing so: Compare the price of a solid defense to the value of what you are defending: When it costs more to defend an asset than it is worth, you lose. When it costs less to defend an asset than it is worth, you win. It is almost always orders of magnitude easier and cheaper to defend a computer than to attack one - IF one starts with tools that CAN be secured, which rules out Microsoft operating systems and software. Where and as security fail is unavoidable - i.e. your shop needs a commercial software package that will not run on anything but a Microsoft OS - the value of the work product will justify the costs (including minor personal inconvenience) of properly quarantining the machine(s) it lives on. If not, you don't really need that work product and the problem solves itself the cheap way: "We stopped using that." As a bonus, defending digital assets from one's "most serious" adversaries will automatically defend those assets from lesser beings. Perfect or absolute security does not exist because it can not exist: But almost anyone can afford a good enough security model to reduce the odds of serious security incidents per decade from near certainty to a low single digit percentage. Network security axiom: User refusal is the principal barrier to secure networking. :o/